Warning: Permanently added 'ci-upstream-next-kasan-gce-4,10.128.0.3' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [   47.540902] ==================================================================
[   47.548401] BUG: KASAN: use-after-free in __internal_add_timer+0x275/0x2d0
[   47.555409] Write of size 8 at addr ffff8801cd813688 by task syzkaller125515/2988
[   47.563019] 
[   47.564652] CPU: 1 PID: 2988 Comm: syzkaller125515 Not tainted 4.14.0-rc2-next-20170928+ #31
[   47.573224] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   47.582570] Call Trace:
[   47.585157]  dump_stack+0x194/0x257
[   47.588787]  ? arch_local_irq_restore+0x53/0x53
[   47.593450]  ? show_regs_print_info+0x65/0x65
[   47.597953]  ? __internal_add_timer+0x275/0x2d0
[   47.602622]  print_address_description+0x73/0x250
[   47.607467]  ? __internal_add_timer+0x275/0x2d0
[   47.612117]  kasan_report+0x25b/0x340
[   47.615903]  __asan_report_store8_noabort+0x17/0x20
[   47.620898]  __internal_add_timer+0x275/0x2d0
[   47.625371]  ? calc_wheel_index+0x200/0x200
[   47.629696]  mod_timer+0x622/0x15b0
[   47.633305]  ? mod_timer_pending+0x14e0/0x14e0
[   47.637869]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   47.642877]  ? trace_hardirqs_on+0xd/0x10
[   47.647095]  ? _crng_backtrack_protect+0xd9/0x130
[   47.651919]  ? __lock_is_held+0xbc/0x140
[   47.655955]  ? __lockdep_init_map+0xe4/0x650
[   47.660340]  ? lockdep_init_map+0x3d/0x70
[   47.664461]  ? rcu_read_lock_sched_held+0x108/0x120
[   47.669461]  ? init_timer_key+0x126/0x3b0
[   47.673585]  ? try_to_del_timer_sync+0x120/0x120
[   47.678322]  ? round_jiffies_up+0xce/0x100
[   47.682531]  ? __round_jiffies_up_relative+0x150/0x150
[   47.687781]  ? debug_lockdep_rcu_enabled+0x77/0x90
[   47.692697]  __tun_chr_ioctl+0x1beb/0x3e40
[   47.696916]  ? tun_chr_read_iter+0x1e0/0x1e0
[   47.701304]  ? lock_downgrade+0x990/0x990
[   47.705449]  ? handle_mm_fault+0x410/0x8d0
[   47.709668]  ? __do_page_fault+0x31e/0xd60
[   47.713899]  ? trace_event_raw_event_sched_switch+0x770/0x770
[   47.719757]  ? up_read+0x1a/0x40
[   47.723109]  ? tun_chr_compat_ioctl+0x30/0x30
[   47.727575]  tun_chr_ioctl+0x2a/0x40
[   47.731263]  ? tun_chr_ioctl+0x2a/0x40
[   47.735127]  do_vfs_ioctl+0x1b1/0x1530
[   47.738987]  ? _cond_resched+0x14/0x30
[   47.742855]  ? ioctl_preallocate+0x2b0/0x2b0
[   47.747240]  ? selinux_capable+0x40/0x40
[   47.751274]  ? putname+0xf3/0x130
[   47.754703]  ? do_sys_open+0x320/0x6d0
[   47.758573]  ? security_file_ioctl+0x89/0xb0
[   47.762959]  SyS_ioctl+0x8f/0xc0
[   47.766304]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   47.771028] RIP: 0033:0x443db9
[   47.774192] RSP: 002b:00007ffd4c89dca8 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
[   47.781882] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000443db9
[   47.789134] RDX: 0000000020c63fd8 RSI: 00000000400454ca RDI: 0000000000000004
[   47.796378] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[   47.803621] R10: 0000000000000000 R11: 0000000000000206 R12: b95c938f617463e2
[   47.810952] R13: 74656e2f7665642f R14: 0000000000000000 R15: 0000000000000000
[   47.818214] 
[   47.819814] Allocated by task 2988:
[   47.823414]  save_stack_trace+0x16/0x20
[   47.827360]  save_stack+0x43/0xd0
[   47.830782]  kasan_kmalloc+0xad/0xe0
[   47.834465]  __kmalloc_node+0x47/0x70
[   47.838247]  kvmalloc_node+0x64/0xd0
[   47.841933]  alloc_netdev_mqs+0x16d/0xed0
[   47.846054]  __tun_chr_ioctl+0x1386/0x3e40
[   47.850258]  tun_chr_ioctl+0x2a/0x40
[   47.853943]  do_vfs_ioctl+0x1b1/0x1530
[   47.857799]  SyS_ioctl+0x8f/0xc0
[   47.861140]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   47.865865] 
[   47.867465] Freed by task 2988:
[   47.870721]  save_stack_trace+0x16/0x20
[   47.874670]  save_stack+0x43/0xd0
[   47.878092]  kasan_slab_free+0x71/0xc0
[   47.881949]  kfree+0xca/0x250
[   47.885025]  kvfree+0x36/0x60
[   47.888101]  free_netdev+0x2cf/0x360
[   47.891784]  __tun_chr_ioctl+0x2df6/0x3e40
[   47.895986]  tun_chr_ioctl+0x2a/0x40
[   47.899687]  do_vfs_ioctl+0x1b1/0x1530
[   47.903545]  SyS_ioctl+0x8f/0xc0
[   47.906902]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   47.912236] 
[   47.913838] The buggy address belongs to the object at ffff8801cd810280
[   47.913838]  which belongs to the cache kmalloc-16384 of size 16384
[   47.926826] The buggy address is located 13320 bytes inside of
[   47.926826]  16384-byte region [ffff8801cd810280, ffff8801cd814280)
[   47.939027] The buggy address belongs to the page:
[   47.943928] page:ffffea0007360400 count:1 mapcount:0 mapping:ffff8801cd810280 index:0x0 compound_mapcount: 0
[   47.953875] flags: 0x200000000008100(slab|head)
[   47.958528] raw: 0200000000008100 ffff8801cd810280 0000000000000000 0000000100000001
[   47.966381] raw: ffffea0007548220 ffffea000738ee20 ffff8801dac02200 0000000000000000
[   47.974239] page dumped because: kasan: bad access detected
[   47.979919] 
[   47.981517] Memory state around the buggy address:
[   47.986415]  ffff8801cd813580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.993752]  ffff8801cd813600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.001082] >ffff8801cd813680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.008409]                       ^
[   48.012004]  ffff8801cd813700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.019334]  ffff8801cd813780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.026662] ==================================================================
[   48.034000] Disabling lock debugging due to kernel taint
[   48.039423] Kernel panic - not syncing: panic_on_warn set ...
[   48.039423] 
[   48.046752] CPU: 1 PID: 2988 Comm: syzkaller125515 Tainted: G    B           4.14.0-rc2-next-20170928+ #31
[   48.056505] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   48.065832] Call Trace:
[   48.068392]  dump_stack+0x194/0x257
[   48.071986]  ? arch_local_irq_restore+0x53/0x53
[   48.076623]  ? vprintk_default+0x28/0x30
[   48.080654]  ? __internal_add_timer+0x1e0/0x2d0
[   48.085291]  panic+0x1e4/0x417
[   48.088450]  ? __warn+0x1d9/0x1d9
[   48.091876]  ? __internal_add_timer+0x275/0x2d0
[   48.096510]  kasan_end_report+0x50/0x50
[   48.100450]  kasan_report+0x144/0x340
[   48.104217]  __asan_report_store8_noabort+0x17/0x20
[   48.109197]  __internal_add_timer+0x275/0x2d0
[   48.113673]  ? calc_wheel_index+0x200/0x200
[   48.117966]  mod_timer+0x622/0x15b0
[   48.121564]  ? mod_timer_pending+0x14e0/0x14e0
[   48.126120]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   48.131102]  ? trace_hardirqs_on+0xd/0x10
[   48.135273]  ? _crng_backtrack_protect+0xd9/0x130
[   48.140087]  ? __lock_is_held+0xbc/0x140
[   48.144116]  ? __lockdep_init_map+0xe4/0x650
[   48.148500]  ? lockdep_init_map+0x3d/0x70
[   48.152614]  ? rcu_read_lock_sched_held+0x108/0x120
[   48.157597]  ? init_timer_key+0x126/0x3b0
[   48.161710]  ? try_to_del_timer_sync+0x120/0x120
[   48.166435]  ? round_jiffies_up+0xce/0x100
[   48.170636]  ? __round_jiffies_up_relative+0x150/0x150
[   48.175880]  ? debug_lockdep_rcu_enabled+0x77/0x90
[   48.180790]  __tun_chr_ioctl+0x1beb/0x3e40
[   48.184997]  ? tun_chr_read_iter+0x1e0/0x1e0
[   48.189380]  ? lock_downgrade+0x990/0x990
[   48.193507]  ? handle_mm_fault+0x410/0x8d0
[   48.197714]  ? __do_page_fault+0x31e/0xd60
[   48.201922]  ? trace_event_raw_event_sched_switch+0x770/0x770
[   48.207772]  ? up_read+0x1a/0x40
[   48.211108]  ? tun_chr_compat_ioctl+0x30/0x30
[   48.215569]  tun_chr_ioctl+0x2a/0x40
[   48.219249]  ? tun_chr_ioctl+0x2a/0x40
[   48.223103]  do_vfs_ioctl+0x1b1/0x1530
[   48.226954]  ? _cond_resched+0x14/0x30
[   48.230809]  ? ioctl_preallocate+0x2b0/0x2b0
[   48.235184]  ? selinux_capable+0x40/0x40
[   48.239212]  ? putname+0xf3/0x130
[   48.242633]  ? do_sys_open+0x320/0x6d0
[   48.246492]  ? security_file_ioctl+0x89/0xb0
[   48.250867]  SyS_ioctl+0x8f/0xc0
[   48.254201]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   48.258920] RIP: 0033:0x443db9
[   48.262075] RSP: 002b:00007ffd4c89dca8 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
[   48.269746] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000443db9
[   48.276984] RDX: 0000000020c63fd8 RSI: 00000000400454ca RDI: 0000000000000004
[   48.284219] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[   48.291462] R10: 0000000000000000 R11: 0000000000000206 R12: b95c938f617463e2
[   48.298696] R13: 74656e2f7665642f R14: 0000000000000000 R15: 0000000000000000
[   48.305977] Dumping ftrace buffer:
[   48.309492]    (ftrace buffer empty)
[   48.313169] Kernel Offset: disabled
[   48.316766] Rebooting in 86400 seconds..